chore: sync using atmosphere-ci
vexxhost-bot authored and mnaser committed Nov 3, 2023
1 parent a60c44c commit 191416b
Showing 2 changed files with 54 additions and 27 deletions.
69 changes: 47 additions & 22 deletions .github/workflows/build.yml
Expand Up @@ -13,19 +13,21 @@ on:
- main
jobs:
image:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
id-token: write
security-events: write
runs-on: ubuntu-latest
strategy:
matrix:
exclude:
- from: focal
release: zed
- from: focal
release: "2023.1"
- from: focal
release: "2023.2"
- from: jammy
release: wallaby
- from: jammy
Expand All @@ -39,6 +41,7 @@ jobs:
- yoga
- zed
- "2023.1"
- "2023.2"
steps:
- name: Install QEMU static binaries
uses: docker/setup-qemu-action@v2
Expand All @@ -47,10 +50,7 @@ jobs:
- name: Checkout project
uses: actions/checkout@v3
- name: Setup environment variables
run: |-
echo PROJECT_REF=$(cat manifest.yml | yq '."${{ matrix.release }}".sha') >> $GITHUB_ENV
echo BUILDER_IMAGE=quay.io/vexxhost/openstack-builder-${{ matrix.from }}:b30eefa3016d4d18ad81a25526617859576fe172 >> $GITHUB_ENV
echo RUNTIME_IMAGE=quay.io/vexxhost/openstack-runtime-${{ matrix.from }}:501efbc97d293436af82a18076b4369380856532 >> $GITHUB_ENV
run: echo PROJECT_REF=$(cat manifest.yml | yq '."${{ matrix.release }}".sha') >> $GITHUB_ENV
- name: Authenticate with Quay.io
uses: docker/login-action@v2
if: ${{ github.event_name == 'push' }}
Expand All @@ -62,15 +62,48 @@ jobs:
uses: sigstore/cosign-installer@main
- name: Verify images
run: |-
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/vexxhost/docker-openstack-builder/.github/workflows/build.yml@refs/heads/main ${BUILDER_IMAGE}
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/vexxhost/docker-openstack-runtime/.github/workflows/build.yml@refs/heads/main ${RUNTIME_IMAGE}
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/vexxhost/docker-openstack-builder/.github/workflows/build.yml@refs/heads/main quay.io/vexxhost/openstack-builder-${{ matrix.from }}:b30eefa3016d4d18ad81a25526617859576fe172
cosign verify --certificate-oidc-issuer=https://token.actions.githubusercontent.com --certificate-identity=https://github.com/vexxhost/docker-openstack-runtime/.github/workflows/build.yml@refs/heads/main quay.io/vexxhost/openstack-runtime-${{ matrix.from }}:f2098f520d8f5c191c271ebdb6e20e761d8ce0be
- name: Build image
uses: docker/build-push-action@v3
with:
build-args: |-
BUILDER_IMAGE=quay.io/vexxhost/openstack-builder-${{ matrix.from }}:b30eefa3016d4d18ad81a25526617859576fe172
RUNTIME_IMAGE=quay.io/vexxhost/openstack-runtime-${{ matrix.from }}:f2098f520d8f5c191c271ebdb6e20e761d8ce0be
RELEASE=${{ matrix.release }}
PROJECT=horizon
PROJECT_REPO=https://github.com/vexxhost/horizon
PROJECT_REF=${{ env.PROJECT_REF }}
EXTRAS=
PROFILES=apache
DIST_PACKAGES=
PIP_PACKAGES=cryptography python-binary-memcached git+https://github.com/openstack/designate-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/heat-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/ironic-ui.git@stable/${{ matrix.release }} git+https://github.com/vexxhost/magnum-ui.git@stable/${{ matrix.release }} git+https://github.com/openstack/neutron-vpnaas-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/octavia-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/senlin-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/monasca-ui.git@stable/${{ matrix.release }} git+https://github.com/openstack/manila-ui.git@stable/${{ matrix.release }}
cache-from: type=gha,scope=${{ matrix.from }}-${{ matrix.release }}
cache-to: type=gha,mode=max,scope=${{ matrix.from }}-${{ matrix.release }}
context: .
load: "true"
tags: quay.io/vexxhost/horizon:${{ env.PROJECT_REF }}-${{ matrix.from }}-${{ github.sha }}
env:
DOCKER_CONTENT_TRUST: "1"
- name: Scan image for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
format: sarif
ignore-unfixed: "true"
image-ref: quay.io/vexxhost/horizon:${{ env.PROJECT_REF }}-${{ matrix.from }}-${{ github.sha }}
output: trivy-results.sarif
- name: Upload scan result
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
category: ${{ env.PROJECT_REF }}-${{ matrix.from }}
sarif_file: trivy-results.sarif
- name: Build image
uses: docker/build-push-action@v3
id: push-step
with:
build-args: |-
BUILDER_IMAGE=${{ env.BUILDER_IMAGE }}
RUNTIME_IMAGE=${{ env.RUNTIME_IMAGE }}
BUILDER_IMAGE=quay.io/vexxhost/openstack-builder-${{ matrix.from }}:b30eefa3016d4d18ad81a25526617859576fe172
RUNTIME_IMAGE=quay.io/vexxhost/openstack-runtime-${{ matrix.from }}:f2098f520d8f5c191c271ebdb6e20e761d8ce0be
RELEASE=${{ matrix.release }}
PROJECT=horizon
PROJECT_REPO=https://github.com/vexxhost/horizon
Expand All @@ -81,27 +114,19 @@ jobs:
PIP_PACKAGES=cryptography python-binary-memcached git+https://github.com/openstack/designate-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/heat-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/ironic-ui.git@stable/${{ matrix.release }} git+https://github.com/vexxhost/magnum-ui.git@stable/${{ matrix.release }} git+https://github.com/openstack/neutron-vpnaas-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/octavia-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/senlin-dashboard.git@stable/${{ matrix.release }} git+https://github.com/openstack/monasca-ui.git@stable/${{ matrix.release }} git+https://github.com/openstack/manila-ui.git@stable/${{ matrix.release }}
cache-from: type=gha,scope=${{ matrix.from }}-${{ matrix.release }}
cache-to: type=gha,mode=max,scope=${{ matrix.from }}-${{ matrix.release }}
sbom: true
context: .
platforms: linux/amd64
push: ${{ github.event_name == 'push' }}
sbom: "true"
tags: quay.io/vexxhost/horizon:${{ env.PROJECT_REF }}-${{ matrix.from }}-${{ github.sha }}
env:
DOCKER_CONTENT_TRUST: "1"
- name: Promote image
uses: akhilerm/[email protected]
if: github.event_name == 'push' && ((matrix.from == 'focal') || (matrix.from == 'jammy' && matrix.release != 'yoga'))
with:
dst: quay.io/vexxhost/horizon:${{ matrix.release }}
src: quay.io/vexxhost/horizon:${{ env.PROJECT_REF }}-${{ matrix.from }}-${{ github.sha }}
- name: Sign the container image
if: ${{ github.event_name == 'push' }}
run: cosign sign --yes quay.io/vexxhost/horizon@${{ steps.push-step.outputs.digest }}
- uses: aquasecurity/trivy-action@master
with:
image-ref: quay.io/vexxhost/horizon:${{ env.PROJECT_REF }}-${{ matrix.from }}-${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
- uses: github/codeql-action/upload-sarif@v2
with:
category: ${{ env.PROJECT_REF }}-${{ matrix.from }}
sarif_file: 'trivy-results.sarif'
if: ${{ github.event_name == 'push' }}
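Review bot: The builder and runtime base-image references now appear verbatim in three places — the `cosign verify` step and the `build-args` block of both `docker/build-push-action` steps — so a future bump that touches one site but not the others would verify one image and build from a different one with no step failing; the single `GITHUB_ENV` definition of `BUILDER_IMAGE`/`RUNTIME_IMAGE` that previously tied them together was dropped in the "Setup environment variables" hunk. If the sync tooling cannot keep the env-var form, a comment above the verify step such as `# Keep these refs identical to BUILDER_IMAGE/RUNTIME_IMAGE in both build-args blocks below` would at least make the coupling visible. Separately, the scan step uses `aquasecurity/trivy-action@master` and the installer `sigstore/cosign-installer@main`; in a job holding `id-token: write` and registry credentials these mutable branch refs are worth pinning to a full commit SHA with a version comment so the action code the job runs cannot change underneath it. Note also that the Trivy step sets no `exit-code`, so findings are uploaded but never gate the subsequent push and promote steps — fine if that is intended, but worth a one-line comment saying so.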
12 changes: 7 additions & 5 deletions manifest.yml
@@ -1,10 +1,12 @@
wallaby:
sha: b79ffad5c302a60e5a61f0938ec87b8e98ee44f1
sha: 9b1a13e0837b9f0ac3e0e919ad0a270d417003db
xena:
sha: 9d488bdcea6d08e7d7a9fc62d00637334674c08b
sha: 050914d8b68bf049097bdd5656084df9ba64e684
yoga:
sha: 47715e19b64dff671153b8e87e54994d8c52f70f
sha: eb57aa5300be01a349684a8aa07d9a973357cf7d
zed:
sha: 80e180076e1fa4e3c85a91859a1fc20566afeea0
sha: b1a26caae888b7f75720046c22838a90a228f2ac
"2023.1":
sha: 3dd3d4ffe09b62569b187f2b0efb88dbfc1eddaf
sha: aacb531610284313035bb0d51bad840a0ebed9b4
"2023.2":
sha: c62527488bfeab588c4abbc8426688e4feef87a4
